The vulnerability is easy to exploit, but the attack surface may be small, said researchers at IBM in a blog post.

The company said it can only be used against Nexus 5X devices that have the Android Debug Bridge (ADB) feature turned on.

The attacker would not need physical access, as they can infect a Nexus 5X owner’s PC or smart charger with malware. When the user connects the phone to their PC or charger (using the USB cable), the malware could exploit the flaw and dump the handset’s memory.

This happens because the malware can send commands to the ADB terminal, crashing it during a forced reboot. The malware then uses other tools to extract the phone’s memory, from which researchers said they were able to recover the password they had set up for a device used during tests.

The vulnerability can also be exploited with physical access to the device by sending all the commands by hand, instead of using automated scripts.

The attack surface is small thanks to the low number of potentially affected devices, and Nexus devices receive security updates on a regular basis from Google itself.